For a while now, my PKI in Aerospace Consulting company has been working on finding ways to make PKI more usable. From the "Relying Party" side of the equation, I think we're getting fairly close. Between some of the advances that others have made (such as Microsoft CAPI now doing Path Discovery and Validation mostly correctly), and our own work on writing an open source Path Discovery and Validation Daemon that can be used by programs like Apache and FreeRADIUS, I think there is very little reason why someone could not actually build a site and fully use certificates for authentication (especially with the certificate information patches that we've just published for Apache).

Now, the problems we're seeing are on the pure client side, such as in browsers, mail clients, VPN clients, or wireless clients in the open source world. The nice thing about the proprietary world of Microsoft and Apple is that they, for the most part, all use their platform certificate store (CAPI on Microsoft, and the Keychain on Apple). In the open source world, certificates, keys and trust anchors can be just about anyplace. And, most annoyingly, even applications built by the same projects don't use the same certificate stores (I'm looking at you, Firefox and Thunderbird, and you too KMail and Konqueror). So, consider this a call for someone (maybe the LSB folks) to come up with a full standard that everyone can adopt for both trust anchors and user keys/certificates, and then please, please, everyone use that[1].

[1] - Yes, I know WHY Firefox and Thunderbird have their own store: so that they don't have to implement per-platform solutions, thereby easing their FIPS validation. At the very least, they COULD implement a common certificate store used by both (and any other LibNSS-using application). At least then I wouldn't have to install all of my certificates twice. If the Mozilla folks wanted to really endear themselves to the community, they would also, once a single store is in place, at least give an install-time option for those that need it to use the system certificate stores, instead of the LibNSS-specific store.